Monday, January 31, 2005

Trustworthy Computing in Academia (or lack thereof)

One of the things that I worry about related to trustworthy computing is the state of education on TWC topics in computer science programs today. When I go around and talk to professors, I ask them whether their students are taught even simple stuff, like how to avoid buffer overflows and the most common security bugs. Almost none of them say "yes."

As a graduating Computer Science student at the University of Michigan, I have to completely agree with Schofield here. There is an absolute lack of "TWC" topics in the CS curriculum. It's a deep-rooted problem, and unfortunately, not one that is destined to change any time soon.

For better or for worse, it is not the goal of university Computer Science programs to train future <insert-tech-company-name-here> employees. Universities see certain topics as fundamental to Computer Science: Discrete Math, Data Structures, Algorithms, Computer Organization and Architecture, Computation Theory, etc. Other topics, ranging from specific programming languages such as Java to specialized areas such as Web-Database Applications and Computer Networks, are not seen as core to academic Computer Science, but rather as specialized and practical applications of it, and are offered as electives.

"Computer Security and Trustworthy Computing" is offered here at U of M about every other semester, assuming a professor has a desire to teach it. It is considered an elective, right alongside Computer Networks, User Interfaces, and Computer Game Design. It has as a prerequisite another 400-level Computer Science course which happens to also be an elective, making Computer Security only available to a very small set of students in their final semesters who have taken all the right classes up to that point.

If areas such as Operating Systems, Databases, and Computer Networks can't make it into the core Computer Science curriculum, it's not realistic to expect that TWC can, in the form of its own course -- not anytime soon.

Instead of pushing for the addition of TWC to the curriculum in the form of courses, TWC advocates should push for the incorporation of foundational principles of Trustworthy Computing into existing course curriculums. Projects in all existing courses that rely on programming projects (and even those that don't!) should teach security principles in the same way that grade school teachers teach spelling and grammar -- by correcting spelling mistakes and reinforcing proper grammar principles even in projects where spelling and grammar are not necessarily the sole purposes of the assignments.

Computer Science instructors that grade programming assignments should catch, point out, and even take credit off for buffer overflows and other security vulnerabilities. Currently, this is something that just doesn't happen, and as a result, students leave the University for software development jobs without any concept of common security principles and practices. Can you predict what happens next?

Finally, it's worth noting that beyond incorporating TWC principles into existing curriculums, it's crucial that professors lead by example! In the web database course I'm taking this semester, the course web server where we work on our assignments was configured in such a way that students could easily view each other's work. Upon being notified of the situation, the professor requested that students change the permissions on their files. Yet students could still view each other's work if they so desired, since the web server user still had permission to read the files and we were coding in PHP (which can easily open/read/output files on the system to which the web server user has access). Upon being notified of this, the professor created a workaround by having students store their work in directories whose names ended with a string of random numbers. Aside from serving as a great example of security through obscurity (a bad thing.. mmkay?), students could still see these strings in the world-readable web server log file.

The bottom line is that students expect teachers to lead by example. They will remember the actions of their teachers far longer than the course material itself (in this same web database course, we spent 2 whole lectures covering web-app security principles -- and for what?). In this case, students walk away from the course thinking security through obscurity is an acceptable workaround to a security problem.

Don't let my little anecdote leave a bad taste in your mouth with respect to the University of Michigan CS program. The professor is actually quite amazing and an all-star in his field. But, just as with the students leaving universities across the country (and the world?) today, perhaps TWC concepts were never core to his area of study. Security comes only as an afterthought.. whose fault is that?